HOW THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) WILL IMPACT YOUR BUSINESS
ACQUISITION HOUR WEBINAR
April 24, 2020
4/24/20
WEBINAR ETIQUETTE
PLEASE
• Log into the GoToMeeting session with the name that you registered with online
• Place your phone or computer on MUTE
• Use the CHAT option to ask your question(s). We will share the questions with our guest speaker, who will respond to the group
THANK YOU!
ABOUT WPI
SUPPORTING THE MISSION
Celebrating 32 Years of serving Wisconsin Business!
Assist businesses in creating, developing and growing their sales, revenue and jobs through Federal, state and local government contracts.
• INDIVIDUAL COUNSELING – At our offices, at the client's facility or via telephone/GoToMeeting
• SMALL GROUP TRAINING – Workshops and webinars
• CONFERENCES, including one-on-one or roundtable sessions
Last year WPI provided training at over 100 events and provided service to over 1,200 companies.
WPI is a Procurement Technical Assistance Center (PTAC) funded in part by the Defense Logistics Agency (DLA), WEDC and other funding sources.
WPI OFFICE LOCATIONS
• MILWAUKEE – Technology Innovation Center
• OSHKOSH – Fox Valley Technical College; Greater Oshkosh Economic Development Corporation
• MADISON – FEED Kitchens; Dane County Latino Chamber of Commerce; Wisconsin Manufacturing Extension Partnership (WMEP); Madison Area Technical College (MATC)
• EAU CLAIRE – Western Dairyland
• MENOMONIE – Dunn County Economic Development Corporation
• CAMP DOUGLAS – Juneau County Economic Development Corporation (JCEDC)
• LADYSMITH – Indianhead Community Action Agency
• RHINELANDER – Nicolet Area Technical College
• STEVENS POINT – IDEA Center
• GREEN BAY – Advance Business & Manufacturing Center
• APPLETON – Fox Valley Technical College
www.wispro.org
CMMC
How the Cybersecurity Maturity Model Certification (CMMC) Will Impact Your Business
Marc N. Violante
Wisconsin Procurement Institute
April 24, 2020
What we know – Current Cyber Obligations
• 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
• 252.204-7008 – Compliance with Safeguarding Covered Defense Information Controls
• 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
• DON – Geurts memos – CDRL requirements
• Other requirements
Information Security Obligations/Requirements
• 252.204-7000 – Disclosure of Information
• DoD Directive 5230.25 – Withholding of Unclassified Technical Data from Public Disclosure
• DoD Instruction 5230.24 – Distribution Statements on Technical Documents
• Canadian Technical Data Control Regulations (TDCR)
• State Department, Directorate of Defense Trade Controls
• Commerce Control List
• DLA Requirements –
  • DLA Export Control Data Access
What we don't know
• New DFARS (Strategic Assessment) – in addition to 252.204-7012
• Definitions of/examples of products/services contained in each level
• Examples of good/acceptable policies/procedures
• Certification process – "is there more than one correct answer?"
• Timing
• Inclusion in RFQs/RFPs
• Specified CMMC v1.x?
• Assessor process, engagement, scheduling, cost
• CMMC Level repository – access to and/or use
• Clarity with respect to trainers/consultants/etc.
• "Oklahoma Land Rush" – caveat emptor
CMMC – How much information to expect?
• Some thoughts
  • CMMC v1.2 is published
  • DFARS 252.204-7012 is current
  • DFARS "Strategic Assessment" – draft rule yet to be published
  • CMMC (Level 1–5) – award determination
• Procurement information can be CUI – https://www.archives.gov/cui/registry/category-detail/procurement-acquisition.html
  • Banner Format: CUI//Category Marking//Limited Dissemination Control
  • Material and information relating to, or associated with, the acquisition and procurement of goods and services, including but not limited to, cost or pricing data, contract information, indirect costs and direct labor rates.
  • Banner Format: CUI//Category Marking//Limited Dissemination Control
  • Per FAR 2.101: any of the following information that is prepared for use by an agency for the purpose of evaluating a bid or proposal to enter into an agency procurement contract, if that information has not been previously made available to the public or disclosed publicly: (Items 1–10).
CMMC – it's about the "it's"
• It's not static – it will evolve
• It's not one size fits all –
  • Different companies
  • Different requirements
  • Level of complexity
• Programs need to be
  • Tailored
  • Monitored – evaluated
  • Updated – refreshed
• It's not a checklist – Critical Thinking is the dominant theme
Topics to consider
• Tunnel vision –
  • Singular focus on CMMC (lack of integration with other requirements)
• Lack of investment
  • time | training | other resources | situational awareness – what's changing?
• Mindset
  • What's important
  • Certification via delegation (designation)
  • Lack of active involvement by top management
What are the main issues (barriers)?
• Familiarity – What if the question (perspective) were changed?
• Understanding of –
  • Technology
  • Terms
  • Threat
  • How/why processes and/or procedures work
    • How does a process solve a problem?
    • Why is documentation needed?
    • How much is enough?
    • What am I trying to show (demonstrate)?
    • Why can't I just say – we are doing that?
The desired end state
• build a cyber-safe, cyber-secure and cyber-resilient defense industrial base
Another idea that has been frequently used has been the concept of Critical Thinking.
Ellen M. Lord, Assistant Secretary of Defense for Acquisition, Press Briefing transcript, January 31, 2020
CMMC (FCI v. CUI) – important details
Controlled Unclassified Information (CUI)
• DFARS 252.204-7012
• Adequate Security (NIST 800-171 r2)
• Malware ID | Capture | "defang" | share
• Monitor for incidents
• Report generation – Medium Assurance Certificate
• Forensics – freeze 90 days
• "Include this clause, including this paragraph (m)"
• CMMC v1.2 – NIST 800-171 r2 + rev b
Federal Contract Information (FCI)
• FAR 52.204-21
• 15 FAR elements map to 17 CMMC elements
• Flowdown – substance of clause
• CMMC v1.2
Apply definitions – track source dates
• FAR 52.204-21: "the subcontractor may have Federal contract information residing in or transiting through its information system."
Compare
• DFARS 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019): "Covered contractor information system" means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
• CDI = CTI + CUI
Background – maturity model
• In general, a maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.
• It provides a benchmark against which an organization can evaluate the current level of capability of its processes, practices, and methods and set goals and priorities for improvement.
Source: https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf, pg 4
CMMC – definition of a policy
Source: https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf, B-2
Contract Information – General Relationships (diagram; labels recovered from the slide): Public / Non Public; No Restriction; DoD, Company, Customer; New DFARS ~ Strategic Assessment; Proprietary Information; 252.204-7000; Distribution List; FCI (L1); CUI (L3–L5); DFARS 252.204-7008, DFARS 252.204-7012, FAR 52.204-21; Other Requirements.
New DFARS
Information Security – today
• Categories of information –
  • Federal Contract Information
  • Covered Defense Information = CTI & CUI
  • Controlled Unclassified Information
  • Impact Level
  • Export Controlled
    • JCP
    • ITAR
    • Other
  • Corporate – internal
  • Customer – contract/proprietary
Commonalities
• There are requirements – regulations
• These apply to different categories of information
Common process (flow diagram on the slide):
• ID & mark each and every document
• ID/Know Program Requirements
• Tailored training for staff
• Apply program requirements to information
• Monitor & Update as needed
CMMC – DoD's perspective
Department of Defense Press Briefing by Undersecretary of Defense for Acquisition and Sustainment Ellen M. Lord, Oct. 18, 2019
Slight Change
Become familiar with references
Specifications for Minimum Security Requirements
FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems, pg 2
Recommend
More recommend